Winlogbeat: WeChat alerts for Windows event logs


Background

The company has a five-digit headcount and uses centralised, AD-based domain management. AD passwords expire every X days, and an account is locked after Y wrong password attempts.

One day the AD administrator quietly treated me to a meal and hinted: could we send the user a WeChat message whenever their account gets locked, guiding them to resolve the lockout themselves?

Having eaten his food I was in no position to say no, so I readily agreed.

Architecture overview

The existing AD log collection pipeline sends logs from Winlogbeat to Elasticsearch.

My idea is to have Winlogbeat send a copy of the logs to Logstash as well, and use the exec output in Logstash to run a Python script that sends the lockout event to the user together with instructions for unlocking the account.

Environment setup

Install Winlogbeat

  1. Download the Winlogbeat zip file from the downloads page.
  2. Extract the contents into C:\Program Files.
  3. Rename the winlogbeat- directory to Winlogbeat.
  4. Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
  5. Run the following commands to install the service.

PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'

PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Note: if the command above cannot be run in PowerShell, see the note below.

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.

Configure Winlogbeat

To configure Winlogbeat, you edit the winlogbeat.yml file.

Configure output to Elasticsearch

output.elasticsearch:
  hosts: ["10.10.10.10:9200"]
  template.name: "winlogbeat"
  template.path: "winlogbeat.template.json"
  template.overwrite: false

Configure output to Logstash

output.logstash:
  # The Logstash hosts
  hosts: ["10.10.10.10:5044"]

Check the configuration syntax

.\winlogbeat.exe -c .\winlogbeat.yml -configtest -e

Configure Logstash

Note

The exec output plugin is not installed by default.

This plugin does not ship with Logstash by default, but it is easy to install by running

bin/logstash-plugin install logstash-output-exec.

For the test environment I picked an event_id that monitors service state changes (7036).

vi /etc/logstash/conf.d/winlogbeat.conf

input {
  beats {
    port => 5044
  }
}
filter {
  mutate {
    # event_id arrives as a number; convert it so the string comparison below matches
    convert => ["event_id", "string"]
  }
}
output {
  if [event_id] == "7036" {
    exec {
      command => "python3 /etc/logstash/conf.d/sendwechat.py \"%{message}\""
    }
  }
}
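The post references sendwechat.py but does not show it. The script below is an added example, not the blog author's script: it is what the exec output above would call, taking the raw event message as its single argument, extracting the fields worth telling the user, and posting a notice to a webhook. It handles both the 7036 service-state message used for testing above and the Event ID 4740 "A user account was locked out" message that a domain controller writes on a lockout, which is the production case the post is building towards. Assumptions: English-locale message text (Chinese-locale Windows wording differs, so the regexes would need adjusting), a hypothetical WECHAT_WEBHOOK_URL environment variable for the endpoint, and a JSON body shaped like a WeChat Work group-bot message; the sample messages are constructed. One caveat on the Logstash side: `%{message}` is interpolated into a shell command line, so any quote or shell metacharacter in the event text reaches the shell. Keeping the conditional pinned to a single event_id and having the script accept only what it can parse, as here, limits what an arbitrary message can do.

```python
#!/usr/bin/env python3
"""sendwechat.py: invoked by the Logstash exec output with the event message
as argv[1]. Added example; not the blog's own script."""
import json
import os
import re
import sys
import urllib.request

# Hypothetical endpoint: the real WeChat API call is not described on the page.
WEBHOOK_URL = os.environ.get("WECHAT_WEBHOOK_URL", "")

# English-locale message layouts (assumption). 4740 lists the locked account
# under its own "Account That Was Locked Out:" section, after the Subject section.
RE_LOCKOUT = re.compile(
    r"Account That Was Locked Out:.*?Account Name:\s*(?P<user>\S+)", re.S)
RE_CALLER = re.compile(r"Caller Computer Name:\s*(?P<host>\S+)")
RE_SERVICE = re.compile(
    r"The (?P<svc>.+?) service entered the (?P<state>\w+) state")

# Constructed sample of a 4740 message, used for an offline dry run.
SAMPLE_LOCKOUT = (
    "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tDC01$\n\nAccount That Was Locked Out:\n"
    "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n\tAccount Name:\t\tjdoe\n\n"
    "Additional Information:\n\tCaller Computer Name:\tWS042"
)


def parse_lockout(message):
    """Return (locked user, caller host) from a 4740-style message, else None."""
    m = RE_LOCKOUT.search(message)
    if not m:
        return None
    c = RE_CALLER.search(message)
    return m.group("user"), (c.group("host") if c else "unknown")


def parse_service_state(message):
    """Return (service, state) from a 7036-style message, else None."""
    m = RE_SERVICE.search(message)
    return (m.group("svc"), m.group("state")) if m else None


def build_notice(message):
    """Turn a raw event message into notification text; None if unrecognised."""
    lock = parse_lockout(message)
    if lock:
        user, host = lock
        return (f"[AD] Account {user} was locked out (request came from {host}). "
                "Wait for the lockout to expire or reset your password on the "
                "self-service portal.")
    svc = parse_service_state(message)
    if svc:
        return f"[Service] {svc[0]} entered the {svc[1]} state."
    return None


def send(text, url=WEBHOOK_URL):
    """POST the notice as JSON. With no URL configured, return the body (dry run)."""
    payload = json.dumps({"msgtype": "text", "text": {"content": text}}).encode()
    if not url:
        return payload
    req = urllib.request.Request(
        url, data=payload, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    raw = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_LOCKOUT
    notice = build_notice(raw)
    if notice is None:
        sys.exit(0)  # unrecognised event text: send nothing
    print(send(notice))
```

Unrecognised messages exit silently rather than being forwarded verbatim, so only the parsed account name and caller host ever make it into the notification. Winlogbeat also exposes the same values as structured fields (event_data), which is a cleaner source than regexes over the message once the pipeline moves past testing.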

Results